You are on page 1of 26


ASP.NET Web API is a framework that makes it easy to build
HTTP services that reach a broad range of clients, including
through desktop and mobile devices which makes it an ideal
platform to build RESTful applications
We start by showing you how to set up a browser client to
utilize ASP.NET Web API services. We then cover ASP.
NET Web API's security architecture, authentication, and
authorization to help you secure a web API from unauthorized
users and learn how to use SSL with ASP.NET Web API,
including using SSL client certificates, and integrate the ASP.
NET Identity system with ASP.NET Web API. We'll show you
how to secure a web API using OAuth2 to authenticate against
a membership database using OWIN middleware. You will be
able to use local logins to send authenticated requests using
OAuth2 and help you implement anti-Cross-Site Request
Forgery (CSRF) measures in ASP.NET Web API. Finally, you
will discover how to enable Cross-Origin Resource Sharing
(CORS) in your web API application.

This book is intended for anyone who has previous
knowledge of developing ASP.NET Web API applications. A
good working knowledge and experience with C# and.NET
Framework are prerequisites for this book.

„ Secure your web API by enabling Secured
Socket Layer (SSL)
„ Manage your application's user accounts by
integrating ASP.NET's Identity system
„ Ensure the security of your web API by
implementing basic authentication
„ Implement forms and Windows authentication
to secure your web API

„ Protect and fortify your web API from CSRF
attacks using OAuth2
„ Enable CORS in your web API to explicitly
allow some cross-origin requests while
rejecting others

$ 34.99 US
£ 22.99 UK

community experience distilled



E x p e r i e n c e

D i s t i l l e d

Security Essentials
Take the security of your ASP.NET Web API to the next level
using some of the most amazing security techniques around

Prices do not include
local sales tax or VAT
where applicable

Visit for books, eBooks,
code, downloads, and PacktLib.



C o m m u n i t y

„ Use external authentication such as Facebook
and Twitter to authenticate a request to a
web API

Rajesh Gunasundaram

Who this book is written for

What you will learn from this book

ASP.NET Web API Security Essentials

Security Essentials


Rajesh Gunasundaram

In this package, you will find:

The author biography
A preview chapter from the book, Chapter 1 'Setting up a Browser Client'
A synopsis of the book’s content
More information on ASP.NET Web API Security Essentials

About the Author
Rajesh Gunasundaram is a software architect, technical writer and blogger. He

has over 13 years of experience in the IT industry, with more than 10 years using
Microsoft's .NET and 2 years of using BizTalk Server, and a year of iOS application

Rajesh is a founder and an editor of technical blogs: and You can find many of his technical writings on .NET and iOS.
Rajesh holds a master's degree in computer application and began his career as a
software engineer in the year 2002. He has worked on client premises located in
various countries, such as the UK, Belarus, and Norway. He is also experienced in
developing mobile applications for iPhone and iPad.
His technical strengths include Objective-C, C#, ASP.NET MVC, Web API, WCF,
.Net Framework 4.5, AngularJS, BizTalk, SQL Server, REST, SOA, design patterns,
and software architecture.

ASP.NET Web API is a framework that makes it easy to build HTTP services that
reach a broad range of clients, including browsers and mobile devices. It is an ideal
platform to build RESTful applications on the .NET Framework.
This book provides a practical guide to secure your ASP.NET Web API by various
security techniques, such as integrating the ASP.NET Identity system, implementing
various authentication mechanisms, enabling Secured Socket Layer (SSL), preventing
cross-site request forgery attacks, and enabling cross-origin resource sharing.

What this book covers
Chapter 1, Setting up a Browser Client, helps you to set up a browser client in order to
use Web API services. It also covers ASP.NET Web API Security Architecture and
authentication, and authorization to secure a web API from unauthorized users.
Chapter 2, Enabling SSL for ASP.NET Web API, explains how to use SSL with ASP.
NET Web API, including using SSL client certificates. There are several common
authentication schemes that are not secured over plain HTTP in particular Basic
authentication and forms authentication, which send unencrypted credentials. In
order to be secure, these authentication schemes must use SSL. In addition to this,
SSL client certificates can be used to authenticate clients.
Chapter 3, Integrating ASP.NET Identity System with ASP.NET Web API, explains
how to integrate the ASP.NET Identity system with ASP.NET Web API. The ASP.
NET Identity system is designed to replace the previous ASP.NET Membership and
Simple Membership systems. It includes profile support and OAuth integration. It
works with OWIN and is included with ASP.NET templates that are shipped with
Visual Studio 2013 and later versions.


Chapter 4, Securing a web API using OAuth2, shows you how to secure a web API
using OAuth2 to authenticate against a membership database using the OWIN
middleware. You will be able to use local logins to send authenticated requests
using OAuth2.
Chapter 5, Enabling Basic Authentication using Authentication Filters in Web API, covers
how to set an authentication scheme for individual controllers or actions using
Authentication filters. This chapter shows an authentication filter that implements
the HTTP Basic Access Authentication scheme. It will also cover the advantages and
disadvantages of using Basic Authentication.
Chapter 6, Securing a Web API using Forms and Windows Authentication, explains how
to secure a web API using Forms Authentication and how users can log in with
their Windows credentials using Integrated Windows Authentication. You will
also get to learn the advantages and disadvantages of using Forms and Windows
Authentication in Web API. Forms authentication uses an HTML form to send the
user's credentials to the server. Integrated Windows Authentication enables the users
to log in with their Windows credentials, using Kerberos or NTLM. The client sends
credentials in the Authorization header. Windows authentication is best suited for an
intranet environment.
Chapter 7, Using External Authentication Services with ASP.NET Web API, helps you to
understand the need for external authentication services in order to enable OAuth/
OpenID and social media authentication. Using external authentication services
helps in reducing development time when creating new web applications. Web users
typically have several existing accounts for popular web services and social media
websites; therefore, when a web application implements the authentication services
from an external web service or social media website, it saves the development time
that would have been spent while creating an authentication implementation. Using an
external authentication service saves the end users from creating another account for
the web application and having to remember yet another username and password.
Chapter 8, Preventing Cross-Site Request Forgery (CSRF) Attacks in Web API, helps
you to implement anti-CSRF measures in ASP.NET Web API. Using an API keybased authentication, or a more sophisticated mechanism such as OAuth, helps in
preventing CSRF attacks. ASP.NET MVC uses anti-forgery tokens, which are also
called request verification tokens.
Chapter 9, Enabling Cross-Origin Resource Sharing (CORS) in ASP.NET Web API,
explains how to enable CORS in your Web API application. Browser security
prevents a web page from making AJAX requests to another domain. This restriction
is called the same-origin policy and prevents a malicious site from reading sensitive
data from another site. However, sometimes you might want to let other sites call
your web API.

Setting up a Browser Client
If you are reading this book, it is because you understand the importance of securing
your web API. ASP.NET Web API is a framework that helps in building HTTP
services that can be utilized by a wide range of clients. So it is very important to
secure your Web API.
ASP.NET Web API 1.0 doesn't have any security features so the security is provided
by the host such as Internet Information Server. In ASP.NET Web API 2, security
features such as Katana were introduced. To secure Web API, let's understand
various techniques that are involved and choose the right approach.
In this chapter, we will cover the following topics:

ASP.NET Web API security architecture

Setting up your browser client

Authentication and authorization

Implementing authentication in HTTP message handlers

Setting the principal

Using the [Authorize] Attribute

Custom authorization filters

Authorization inside a controller action


Setting up a Browser Client

ASP.NET Web API security architecture
This section will give you an overview of the Web API security architecture and show
you all the various extensibility points that can be used for security related things.
The ASP.NET Web API security architecture is composed of three main layers. The
hosting layer acts as an interface between the Web API and network stacks. The
message handler pipeline layer enables implementing cross-cutting concerns such as
authentication and caching. The controller handling layer is where the controllers and
actions are executed, parameters are bound and validated, and HTTP response message
is created. This layer also contains a filter pipeline, as shown in the following figure:

Fig 1 – This image shows the components involved in securing the Web API

Let's briefly discuss the purpose of each components in the Web API pipeline,
as follows:

Open Web Interface for .NET (OWIN) is the new open standard hosting
infrastructure. Microsoft has built its own framework called Katana on top of
OWIN and all Web API security techniques such as authentication methods
(for example, token-based authentication) and support for social login providers
(for example, Google and Facebook) will be happening on the OWIN layer.

Message Handler is a class that receives an HTTP request and returns an
HTTP response. Implementing authentication at message handler level is
not recommended. Message handlers are used for Cross-Origin Resource
Sharing (CORS).

Authentication Filters are guaranteed to run before the authorization filter.
If you are not interested in operating your authentication logic at the OWIN
layer, you can straightaway move to controllers or actions. Authentication
filters are really useful to invoke OWIN-based authentication logic.

Authorization Filters are the places in the pipeline where you can recheck
the request before the actual expensive business logic stuff runs in the model
binding and validation, and the controller action is invoked.

Now that we are familiar with the security architecture, we will set up the client.

Chapter 1

Setting up your browser client
Let's create a Web API for Contact Lookup. This Contact Lookup Web API service
will return the list of contacts to the calling client application. Then we will be
consuming the Contact Lookup service using the jQuery AJAX call to list and
search contacts.
This application will help us in demonstrating the Web API security throughout
this book.

Implementing Web API lookup service
In this section, we are going to create a Contact Lookup web API service that returns
a list of contacts in the JavaScript Object Notation (JSON) format. The client that
consumes this Contact Lookup is a simple web page that displays the list of contacts
using jQuery. Follow these steps to start the project:
1. Create New Project from the Start page in Visual Studio.
2. Select Visual C# Installed Template named Web.
3. Select ASP.NET Web Application in the center pane.
4. Name the project ContactLookup and click OK, as shown in the
following screenshot:

Fig 2 – We have named the ASP.NET Web Application "ContactLookup"


Setting up a Browser Client

5. Select the Empty template in the New ASP.NET Project dialog box.
6. Check Web API and click OK under Add folders and core references, as
shown in the following:

Fig 3 – We select the Empty Web API template

We just created an empty Web API project. Now let's add the required model.

Adding a model
Let's start by creating a simple model that represents a contact with the help of the
following steps:
1. First, define a simple contact model by adding a class file to the
Models folder.


Chapter 1

Fig 4 – Right-click on the Models folder and Add a Model Class

2. Name the class file Contact and declare properties of the Contact class.
namespace ContactLookup.Models
public class Contact
public int Id { get; set; }
public string Name { get; set; }
public string Email { get; set; }
public string Mobile { get; set; }

We just added a model named Contact. Let's now add the required web API controller.


Setting up a Browser Client

Adding a controller
HTTP requests are handled by controller objects in Web API. Let's define a controller
with two action methods. One action to return the list of contacts and other action to
return a single contact specific to a given ID:
1. Add the Controller under the Controllers folder in Solution Explorer.

Fig 5 – Right-click on the Controllers folder and Add a Controller

2. Select Web API Controller – Empty and click on Add in the Add
Scaffold dialog.


Chapter 1

Fig 6 – Select an Empty Web API Controller

3. Let's name the controller ContactsController in the Add Controller dialog
box and click Add.

Fig 7 – Naming the controller


Setting up a Browser Client

This creates the ContactsController.cs file in the Controllers folder as shown in
the following image:

Fig 8 – ContactsController is added to the Controllers folder in the application

1. Replace the code in ContactsController with the following code:
namespace ContactLookup.Controllers
public class ContactsController : ApiController
Contact[] contacts = new Contact[]
new Contact { Id = 1, Name = "Steve", Email = "steve@", Mobile = "+1(234)35434" },
new Contact { Id = 2, Name = "Matt", Email = "matt@", Mobile = "+1(234)5654" },
new Contact { Id = 3, Name = "Mark", Email = "mark@", Mobile = "+1(234)56789" }
public IEnumerable<Contact> GetAllContacts()
return contacts;


Chapter 1
public IHttpActionResult GetContact(int id)
var contact = contacts.FirstOrDefault(x => x.Id ==
if (contact == null)
return NotFound();
return Ok(contact);

For simplicity, contacts are stored in a fixed array inside the controller class. The
controller is defined with two action methods. List of contacts will be returned by the
GetAllContacts method in the JSON format and the GetContact method returns a
single contact by its ID. A unique URI is applied to each method on the controller as
given in the following table:
Controller Method







Setting up a Browser Client

Consuming the Web API using JavaScript
and jQuery
In this section, in order to demonstrate calling the web API with or without any
security mechanisms, let's create an HTML page that consumes web API and update
the page with the results using the jQuery AJAX call:
1. In the Solution Explorer pane, right-click on the project and add New Item.

Fig 9 – Select add new item from the context menu in Solution Explorer

[ 10 ]

Chapter 1

2. Create HTML Page named index.html using the Add New Item dialog.

Fig 10 – Add an index html file by selecting HTML page in the Add New Item dialog

3. Replace the content of the index.html file with the following code:
<!DOCTYPE html>
<html xmlns="">
<title>Contact Lookup</title>
<h2>All Contacts</h2>
<ul id="contacts" />
<h2>Search by ID</h2>
<input type="text" id="contactId" size="5" />
<input type="button" value="Search" onclick="search();" />
<p id="contact" />

[ 11 ]

Setting up a Browser Client
<script src=""></script>
var uri = 'api/contacts';
$(document).ready(function () {
// Send an AJAX request
.done(function (data) {
// On success, 'data' contains a list of contacts.
$.each(data, function (key, contact) {
// Add a list item for the contact.
$('<li>', { text: formatItem(contact)

function formatItem(contact) {
return contact.Name + ', email: ' + contact.Email + ',
mobile: ' + contact.Mobile;
function search() {
var id = $('#contactId').val();
$.getJSON(uri + '/' + id)
.done(function (data) {
.fail(function (jqXHR, textStatus, err) {
$('#contact').text('Error: ' + err);

[ 12 ]

Chapter 1

Getting a list of contacts
We need to send an HTTP GET request to /api/contacts to get the list of contacts.
The AJAX request is sent by the jQuery getJSON function and the array of JSON
objects is received in the response. A callback function in the done function is
called if the request succeeds. In the callback, we update the DOM with the contact
information, as follows:
$(document).ready(function () {
// Send an AJAX request
.done(function (data) {
// On success, 'data' variable contains a list of
$.each(data, function (key, contact) {
// Add a list item for the contact.
$('<li>', { text: formatItem(contact)

Getting a contact by ID
To get a contact by ID, send an HTTP GET request to /api/contacts/id, where id
is the contact ID.
function search() {
var id = $('#contactId').val();
$.getJSON(uri + '/' + id)
.done(function (data) {
.fail(function (jqXHR, textStatus, err) {
$('#contact').text('Error: ' + err);

The request URL in getJSON has the contact ID. The response is a JSON
representation of a single contact for this request.

[ 13 ]

Setting up a Browser Client

Running the application
Start debugging the application by pressing F5. To search for a contact by ID, enter
the ID and click on Search:

Fig 11 – User Interface of the Sample Browser-based Client Application

Authentication and authorization
We have created a simple web API that returns the list of contacts or specific contacts
by ID. This web API can be accessed by any client that supports HTTP and is not
secured enough. With the help of authentication and authorization mechanisms, we
can secure this web API from unauthorized access.

Authentication mechanism helps in identifying the valid user and
authenticating them using the identity of the user. Here, the identity
can be a username and password.

Authorization mechanism helps in restricting unauthorized access to an
action. For example, An unauthorized user can get the list of contacts.
But he is restricted to create new contact.

Authentication is carried out in the host Internet Information Service (IIS) for web
API. Internet Information Service uses HTTP modules for authentication. We can
also implement custom authentication with our own HTTP module.

[ 14 ]

Chapter 1

The host creates a principal when it authenticates the user. Principal is an
IPrincipal object that represents the security context under which the code is
running. You can access the current principal from Thread.CurrentPrincipal,
which is attached by the host. The user information can be accessed from the
Identity object of principal. The Identity.IsAuthenticated property returns true
if the user is authenticated. The Identity.IsAuthenticated will return false if the
user is not authenticated.

Authorization happens after successful authentication is provided to the controller. It
helps you to grant access to resources when more granular choices are made.
For any unauthorized requests, the authorization filter returns an error response and
does not allow the action to be executed. This happens as the authorization filters
will be executed first before any statements in the controller action.

Implementing authentication in HTTP
message handlers
For a self-hosted web API, the best practice is to implement authentication in an
HTTP Message Handler. The principal will be set by the message handler after
verifying the HTTP request. For a web API that is self-hosted, consider implementing
authentication in a message handler. Otherwise, use an HTTP module instead.
The following code snippet shows an example of basic authentication implemented
in an HTTP module:
public class AuthenticationHandler : DelegatingHandler
protected override Task<HttpResponseMessage>
SendAsync(HttpRequestMessage request,
CancellationToken cancellationToken)
var credentials = ParseAuthorizationHeader(request);
if (credentials != null)
// Check if the username and passowrd in credentials
are valid against the ASP.NET membership.
// If valid, the set the current principal in the
request context
[ 15 ]

Setting up a Browser Client
var identity = new GenericIdentity(credentials.
Thread.CurrentPrincipal = new
GenericPrincipal(identity, null);;
return base.SendAsync(request, cancellationToken)
.ContinueWith(task =>
var response = task.Result;
if (credentials == null && response.StatusCode ==
Challenge(request, response);
return response;
protected virtual Credentials ParseAuthorizationHeader(HttpReq
uestMessage request)
string authorizationHeader = null;
var authorization = request.Headers.Authorization;
if (authorization != null && authorization.Scheme ==
authorizationHeader = authorization.Parameter;
if (string.IsNullOrEmpty(authorizationHeader))
return null;
authorizationHeader = Encoding.Default.GetString(Convert.
var authenticationTokens = authorizationHeader.Split(':');
if (authenticationTokens.Length < 2)
return null;
return new Credentials() { Username =
authenticationTokens[0], Password = authenticationTokens[1], };
void Challenge(HttpRequestMessage request, HttpResponseMessage

[ 16 ]

Chapter 1
response.Headers.Add("WWW-Authenticate", string.
Format("Basic realm=\"{0}\"", request.RequestUri.DnsSafeHost));
public class Credentials
public string Username { get; set; }
public string Password { get; set; }

Setting the principal
If the application has the custom authentication logic implemented, then we must set
the principal in two places:

Thread.CurrentPrincipal is the standard way to set the thread's principal

HttpContext.Current.User is specific to ASP.NET.

in .NET.

The following code shows setting up the principal:
private void SetPrincipal(IPrincipal principal)
Thread.CurrentPrincipal = principal;
if (HttpContext.Current != null)
HttpContext.Current.User = principal;

Using the [Authorize] attribute
AuthorizeAttribute will make sure if the user is authenticated or unauthenticated.
Unauthorized error with HTTP status code 401 will be returned if the user is not
authenticated and the corresponding action will not be invoked. Web API enables
you to apply the filter in three ways. We can apply them at global level, or at the
controller level, or at the individual action level.

[ 17 ]

Setting up a Browser Client

Global authorization filter
To apply authorization filter for all Web API controllers, we need to add the
AuthorizeAttribute filter to the global filter list in the Global.asax file as
given below:
public static void Register(HttpConfiguration config)
config.Filters.Add(new AuthorizeAttribute());

Controller level authorization filter
To apply an authorization filter for a specific controller, we need to decorate the
controller with filter attribute as given in the following code:
// Require authorization for all actions on the controller.
public class ContactsController : ApiController
public IEnumerable<Contact> GetAllContacts() { ... }
public IHttpActionResult GetContact(int id) { ... }

Action level authorization filter
To apply an authorization filter for specific actions, we need to add the attribute to
the action method as given in the following code:
public class ContactsController : ApiController
public IEnumerable<Contact> GetAllContacts() { ... }
// Require authorization for a specific action.
public IHttpActionResult GetContact(int id) { ... }

[ 18 ]

Chapter 1

Custom authorization filters
To implement a custom authorization filter, we need to create a class that
derives either AuthorizeAttribute, AuthorizationFilterAttribute, or

AuthorizeAttribute: An action is authorized based on the current user and

the user's roles.

AuthorizationFilterAttribute: Synchronous authorization logic is

IAuthorizationFilter: Both AuthorizeAttribute and
AuthorizationFilterAttribute implement IAuthorizationFilter.
IAuthorizationFilter is to be implemented if advanced authorization

applied and it may not be based on the current user or role.

logic is required.

Authorization inside a controller action
Sometimes, it may be required to change the behavior after processing the request
based on the principal. In such scenarios, we can implement authorization in a
controller action. For example, if you would like to manipulate the response based on
the user's role, we can verify the logged-in user role from the ApiController.User
property in the action method itself:
public HttpResponseMessage Get()
if (!User.IsInRole("Admin"))
// manipulate the response to eliminate information that
shouldn't be shared with non admin users

[ 19 ]

Setting up a Browser Client

That was easy, wasn't it? We just set up the security for our APS.NET Web API that
we will build upon in the upcoming chapters.
You learned about the security architecture of ASP.NET Web API that gave an
overall view of what's under the hood. We then set up our browser client, from
implementing the Web lookup service to calling the Web API with JavaScript and
jQuery code.
You also learned about authentication and authorization techniques, which we
will be covering in great detail later in the book. Moving on, you learned about
HTTP Message Handlers, Principal, and the [Authorize] Attribute to control the
authorization for the users.
Finally, you learned about custom authorization and authorization in a controller
action to alter the behavior after processing the request based on the principal.
You learned a lot of stuff in this chapter. However, this is just the beginning. In the
next chapter, you will implement a secured socket layer to the Web API. Let's get the
ball rolling!

[ 20 ]

Get more information ASP.NET Web API Security Essentials

Where to buy this book
You can buy ASP.NET Web API Security Essentials from the Packt Publishing website.
Alternatively, you can buy the book from Amazon,, Computer Manuals and most internet
book retailers.
Click here for ordering and shipping details.

Stay Connected: